.TH "rpl" "5" "2009-09-28" "ttyrpld" "tty logging daemon suite"
.SH "Name"
.PP
rpl(5) \(em ttyrpld log file format
.SH "Description"
.PP
The logfiles rpld creates are a small variation of the packet protocol as
described in rpldev(4). The \fIdev\fP field is not present. (Since ttyrpld
v2.00, the timestamp is already added in the kernel.) All fields are little
endian and packed, i.e. there are no alignment gaps. The structure is similar
to the struct rpldev_packet:
.PP
.nf
struct rpldsk_packet {
	union rpldev_evmagic evmagic;
	uint32_t size;
	struct rpltime time;
} __attribute__((packed));
.fi
.PP
Possible values for \fIevent\fP equal those listed in rpldev(4), plus the
following:
.IP \(bu 4
RPLEVT_ID_PROG = 0x72703345, /* "rp3E" */
.IP \(bu 4
RPLEVT_ID_DEVPATH = 0x72703346, /* "rp3F" */
.IP \(bu 4
RPLEVT_ID_TIME = 0x72703347, /* "rp3G" */
.IP \(bu 4
RPLEVT_ID_USER = 0x72703348, /* "rp3H" */
.PP
A RPLEVT_ID_PROG is added to each logfile by rpld to contain the program with
which it was created. (rpld in this case \(em but anyone is free to write a
different daemon.)
.PP
A RPLEVT_ID_DEVPATH contains the path of the device node that has been tapped.
There is a special handling case in rpld when multiple device nodes with the
same major-minor number are used at the same time:
.IP \(bu 4
if the first packet rpld picks up for a certain ->dev line (tty) is a
RPLEVT_INIT or RPLEVT_OPEN packet with a dentry name (e.g. /dev/tty1), this
name will be used for this major-minor number
.IP \(bu 4
rpld will look into /dev and take the first pick
.PP
In the default case, you should not worry, as each major-minor number only has
one node in /dev, and even if it does not, you are able to know what tty was
logged, because the dentries are similarly-named.
.PP
RPLEVT_ID_TIME packets carry the time the log was started. This is useful
because the logfile's timestamp on the filesystem may change due to user
interaction.
.PP
Last, but not least, RPLEVT_ID_USER contains the username (or UID if no user
was found) that was being traced. Especially useful when users get removed
after the logs have been recorded.
.PP
All of these four packets are informational ones and are not required for
proper replay with ttyreplay.
.SH "See also"
.PP
\fBrpldev\fP(4)
